Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea

May 24, 2024, 8:29 a.m.

Description

An investigation by Bitdefender Labs uncovered a previously unidentified cyber threat actor called Unfading Sea Haze. This group has systematically targeted high-level organizations across countries in the South China Sea region. The extensive analysis spanned several years, revealing their evolving tactics, malware arsenal, and ongoing persistence. The primary objective appears to be espionage, with a focus on data exfiltration and surveillance of military and government entities. Unfading Sea Haze employs a sophisticated array of custom malware tools, including variants of the Gh0st RAT family and techniques like DLL sideloading. Their recent shift towards modular, fileless payloads showcases their adaptability in evading detection.

External References

https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea
https://otx.alienvault.com/pulse/66504dff129ce00f1deb99cc
Tags
malware
apt
espionage
2024-05-23
.net
dustyexfiltool
2024-05-24
unfading sea haze
silentgh0st
translucentgh0st
sharpjshandler

Date

  • Created: May 24, 2024, 8:21 a.m.
  • Published: May 24, 2024, 8:21 a.m.
  • Modified: May 24, 2024, 8:29 a.m.

Indicators

  • 93abcc4062a14ba3d3309fc5e8a910e81a4e3ce1bbbf5e6f7857779b6e76f43a
  • 7587ca6b8163e3e5b05e4a9fc79ec19deee9c971e6f76adadc4d970c99cad4f3
  • 6b5b8b12af21700a212d5ece27f065f8f9ed38b2969ad5dfaa790bc76754de6c
  • 1116efd48ca01623bf385cd612f4da1eb9eeba0329e41d0e068bcd6557a46f8f
  • 45.61.137.109
  • 193.149.129.128
  • 167.71.199.105
  • 188.166.224.242
  • 164.92.146.227
  • 152.42.198.152
  • 139.59.107.49
  • 128.199.66.11
  • 112.113.112.5
  • 128.199.166.143
  • 209.97.167.177
  • 192.153.57.24
  • 159.223.78.147
  • word.emldn.com
  • upupdate.ooguy.com
  • spcg.lunaticfridge.com
  • sopho.kozow.com
  • rest.redirectme.net
  • payroll.mywire.org
  • provider.giize.com
  • newy.hifiliving.com
  • message.ooguy.com
  • news.nevuer.com
  • manags.twilightparadox.com
  • mail.theworkguyoo.com
  • mail.simpletra.com
  • mail.adswt.com
  • mail.bomloginset.com
  • mail.pcygphil.com
  • images.emldn.com
  • link.theworkguyoo.com
  • linklab.blinklab.com
  • fc.adswt.com
  • employee.mywire.org
  • dns.g8z.net
  • dns-log.d-n-s.org.uk
  • bit.kozow.com
  • cdn.g8z.net
  • auth.bitdefenderupdate.com
  • api.simpletra.com
  • api.bitdefenderupdate.org
  • airst.giize.com
  • bitdefenderupdate.org
Download all indicators here!

Attack Patterns

  • SilentGh0st
  • TranslucentGh0st
  • SharpJSHandler
  • Unfading Sea Haze